diff --git a/repository/manage_instances.php b/repository/manage_instances.php index 7c4ac7863c8..b9194412e06 100644 --- a/repository/manage_instances.php +++ b/repository/manage_instances.php @@ -106,6 +106,14 @@ if (!empty($new)){ $type = repository::get_type_by_id($instance->options['typeid']); } +// The context passed MUST match the context of the repository. And as both have to be +// similar, this also ensures that the context is either a user one, or a course one. +if (!empty($instance)) { + if ($instance->instance->contextid != $context->id) { + print_error('invalidcontext'); + } +} + if (isset($type)) { if (!$type->get_visible()) { print_error('typenotvisible', 'repository', $baseurl); @@ -150,11 +158,6 @@ if (!empty($edit) || !empty($new)) { if ($instance->readonly) { throw new repository_exception('readonlyinstance', 'repository'); } - // System instances settings should not be accessible here. - $repocontext = context::instance_by_id($instance->instance->contextid); - if ($repocontext->contextlevel == CONTEXT_SYSTEM) { - throw new repository_exception('nopermissiontoaccess', 'repository'); - } // Check if we can read the content of the repository, if not exception is thrown. repository::check_capability($context->id, $instance); $instancetype = repository::get_type_by_id($instance->options['typeid']); @@ -213,6 +216,8 @@ if (!empty($edit) || !empty($new)) { if ($instance->readonly) { throw new repository_exception('readonlyinstance', 'repository'); } + // Check if we can read the content of the repository, if not exception is thrown. + repository::check_capability($context->id, $instance); if ($sure) { if (!confirm_sesskey()) { print_error('confirmsesskeybad', '', $baseurl);